In an amicus brief filed in Epic Games v. Apple Inc., the Center for Cybersecurity Policy and Law (CCPL) urges the 9th Circuit to ensure that competition remedies do not undermine security.

Specifically, the Center is asking the Ninth Circuit to vacate parts of a district court injunction that: 

  1. Guts Apple’s ability to vet or place other security controls on external links included in apps on the Apple app store.
  2. Precludes Apple from adequately warning users of the potential security and privacy risks associated with such links. 

In a previous ruling, the Ninth Circuit concluded that security and privacy are procompetitive features of the mobile device ecosystem. We agree. By precluding Apple from doing key vetting of external links, and by restricting its ability to adequately inform users of the risks, the district court’s injunction risks introducing new security and privacy risks into the mobile device ecosystem. 

As CCPL has said in its prior work on mobile security, centralized vetting of apps that are installed on users' devices has been critical to ensuring the security and privacy of users – and thus the security of the broader digital ecosystem. Vetting of external links that are included in apps is equally important, especially given the rise and sophistication of threat actors that seek access to the vast amounts of personal, financial, and business data stored on our phones, and the possibility of exploiting authentication tokens stored on phones to access broader systems and networks.

Background

This case dates back to 2020, when Epic Games – the maker of Fortnite – sued Apple for alleged antitrust violations related to rules for its app store and restrictions on the use of out-of-app payments. In a 2021 opinion, the district court ruled in favor of Epic in part and in favor of Apple in part, and ultimately issued an injunction that required Apple to allow out-of-app purchases. 

In 2023, the Ninth Circuit upheld the injunction – although it ruled in favor of Apple in other parts of the case. The Ninth Circuit also rejected Epic’s claim that privacy and security considerations were out of scope in the case. To the contrary, the Court found that implementation of security and privacy features are “plainly procompetitive rationales” that make the mobile market more diverse. In the court’s words:

“[B]y improving security and privacy features, [Apple] is tapping into consumer demand and differentiating its products from those of its competitors … Users who value security and privacy can select (by purchasing an iPhone) Apple’s closed platform and pay a marginally higher price for apps.” 

We also made similar points in our 2022 amicus brief.

After a several-year stay, the injunction went into effect in January 2024. Apple allowed for out-of-app purchases, as required by the injunction, but implemented certain requirements for doing so. Specifically, Apple required the use of uniform styles in directing users to external purchasing links, curtailed the use of dynamic links, and mandated disclosures to users making clear that Apple did not guarantee the security and privacy of transactions made on external links.

Epic challenged these and other requirements, and on April 30 the district court placed limits on Apple’s ability to vet and review external links, warn users of the potential risks associated with such links, and restrict categories of apps with poor security records. 

Enter the CCPL Amicus Brief

The CCPL’s brief addresses the threat landscape, the particular risks posed by external links, and the importance of centralized vetting and adequate notice to users about security and privacy risks. And it urges the Court to vacate the portions of the April 30th injunction that increase security and privacy risks. 

The brief unfolds in several parts:

  • Lays out the threat landscape: Cyber threats posed by adversary nation-states and cybercriminals are on the rise – increasing in both frequency and sophistication. Despite this, the mobile ecosystem has remained comparatively secure thanks to rigorous, multilayered protections from platform providers. That said, mobile devices carry an enormous amount of personal, financial, and business data, and, as a result, are an increasingly attractive target for attackers. A malicious link can introduce spyware, extract user data, or collect passwords or tokens that can be used to gain access into government and corporate systems. The risk is not hypothetical. According to the FBI and security experts, phishing and spoofing campaigns increasingly rely on precisely the types of external links that are at issue in this case.
  • Details the dangers of external links: External links are an increasingly common vector for online deception. These links, embedded within apps, redirect users to third-party websites outside the control of the platform. This opens the door to malicious actors redirecting users to deceptive sites designed to steal personal data or install malicious software without a user understanding what is happening. 
  • Explains the risks of dynamic links: Unlike static links, which are fixed and unchanging, dynamic links may vary with each user or session. Because they are dynamic, such links cannot be pre-vetted by Apple or any app store. Malicious actors can exploit this variability to redirect traffic to compromised sites, harvest personal data, or inject malware—all without the user realizing anything has changed.
  • Emphasizes the value of centralized vetting: As the Center has noted in its prior work on mobile security, vetting and review by centralized app stores, such as the Apple App Store and Google Play Store, has reduced security risks, improved app quality, and protected users from malicious software. Vetting and review is equally important with respect to external links that are embedded into apps, which, as described above, carry potential security and privacy risks; without sufficient scrutiny, these links can quietly bypass core safeguards, exposing users to surveillance, profiling, and exploitation.
  • Highlights the importance of giving users sufficient information to make informed choices about what links to click: Users expect their devices to be secure. As a result, it is critically important for users to be informed of security risks and empowered to make informed choices, particularly when expected protections are diminished or removed.

In sum, the CCPL urges the Court to vacate those parts of the lower court’s injunction that restrict Apple’s ability to effectively vet external links and to adequately inform users of potential risks that such links pose. 

Jennifer Daskal, Heather West & Tanvi Chopra
